Nmap - Port Scanning Techniques


Let's dig deeper into port scanning techniques. Port scanning in Nmap is something of an art: experts understand the different scan techniques and choose the one, or the combination, best suited to a given task, whereas inexperienced users and script kiddies try to solve every problem with a plain SYN scan.

Alert: Run Nmap as the root user. If you do not have root access, type sudo before every Nmap command.
Only one scan type can be used at a time, except that a UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
First things first: you can bring up Nmap's help by typing nmap -h


SYN and CONNECT scan

TCP SYN scan (-sS)

  • SYN scan is the most powerful scan option and the default.
  • It is stealthy since it never completes TCP connections.
  • It is fast and can scan thousands of ports per second on a fast network.

TCP connect scan (-sT)

  • Default TCP scan when a SYN scan is not available (generally when root privilege is not available).
  • Less efficient, as it takes longer and requires more packets to obtain the same result.
  • In this case Nmap does not craft raw packets; instead the OS sends the connection request.
  • These scans are noisier from an IDS point of view.

UDP and SCTP scan

UDP scan (-sU)

  • Most services run on the TCP protocol, but widely used UDP services exist, such as DNS (53), SNMP (161/162), and DHCP (67/68).
  • UDP scanning is generally slower and more difficult than TCP scanning, which is why some security auditors ignore these ports.
  • This option can be combined with a SYN scan (-sS) to check both protocols during the same run.
  • --host-timeout tells Nmap not to spend more than a specified time on a single host. The example below will spend a maximum of 2 minutes on each host.
nmap <IPs> -sU --host-timeout 2m

SCTP INIT scan (-sY)

  • SCTP stands for Stream Control Transmission Protocol.
  • It is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP.
  • It is mostly used for SS7/SIGTRAN services such as cellular networks.
  • This scan is the SCTP equivalent of a TCP SYN scan.

SCTP Cookie ECHO (-sZ)

  • It is a more advanced SCTP scan.
  • It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.
  • The downside is that SCTP COOKIE ECHO scans cannot differentiate between open and filtered ports, leaving you with the state open|filtered in both cases.

TCP NULL, FIN, and Xmas scans

These scans behave identically except for the TCP flags set in the probe packet. These scan types exploit a subtle loophole in the TCP RFC to differentiate open from closed ports: a closed port must reply with RST, while an open port drops the probe. The key advantage of these scan types is that they can sometimes sneak through certain non-stateful firewalls.

NULL scan (-sN)

  • Does not set any bits (TCP flag header is 0)

FIN scan (-sF)

  • Sets just the TCP FIN bit.

Xmas scan (-sX)

  • Sets the FIN, PSH, and URG flags, lighting the packet like a Christmas tree thus the name Xmas.

TCP ACK and Window scans

TCP ACK scan (-sA)

  • This scan never determines whether a port is open (or even open|filtered).
  • It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

TCP Window Scan (-sW)

  • Exactly the same as the ACK scan, except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when an RST is returned.

Maimon and IP Protocol scans

TCP Maimon Scan (-sM)

  • This technique is exactly the same as the NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.
  • Useful on BSD systems, as many BSD-derived systems simply drop the packet if the port is open.

IP Protocol Scan (-sO)

  • This scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
  • This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.
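To make the state logic behind each technique concrete, here is an added Python helper (not from the original post or from Nmap itself) that maps one probe response to the port state Nmap reports for that scan type, plus a check of the combination rule given at the top of the post; the response labels are constructed names for this example.

```python
# Added helper (not from the original post or from Nmap): how each scan type
# turns one probe response into the port state Nmap reports. Handy when reading
# IDS logs of scan probes: it shows which reply the scanner was hoping to see.
# Response labels are constructed names for this example.

TCP_SCANS = {"sS", "sT", "sN", "sF", "sX", "sM", "sA", "sW"}
SCTP_SCANS = {"sY", "sZ"}
UNREACH = {"icmp_port_unreach", "icmp_other_unreach"}  # ICMP type 3 replies


def infer_state(scan: str, response: str, tcp_window: int = 0) -> str:
    """Port state for one probe/response pair; scan is the -s letter pair, e.g. "sS".

    response: "syn_ack", "rst", "init_ack", "abort", "udp_data",
              "icmp_port_unreach", "icmp_other_unreach" or "none" (silence).
    tcp_window: window field of an RST reply, used only by the Window scan.
    """
    if scan in ("sS", "sT"):               # half-open / full connect
        return {"syn_ack": "open", "rst": "closed"}.get(response, "filtered")
    if scan == "sU":                       # silence is ambiguous for UDP
        return {"udp_data": "open", "icmp_port_unreach": "closed",
                "icmp_other_unreach": "filtered"}.get(response, "open|filtered")
    if scan == "sY":                       # SCTP INIT, the SYN-scan equivalent
        return {"init_ack": "open", "abort": "closed"}.get(response, "filtered")
    if scan == "sZ":                       # open ports drop COOKIE ECHO silently
        if response in UNREACH:
            return "filtered"
        return {"abort": "closed"}.get(response, "open|filtered")
    if scan in ("sN", "sF", "sX", "sM"):   # RFC loophole: RST only if closed
        if response in UNREACH:
            return "filtered"
        return {"rst": "closed"}.get(response, "open|filtered")
    if scan == "sA":                       # never reports open
        return "unfiltered" if response == "rst" else "filtered"
    if scan == "sW":                       # like -sA but reads the RST window
        if response != "rst":
            return "filtered"
        return "open" if tcp_window > 0 else "closed"
    raise ValueError(f"unknown scan type: {scan}")


def valid_combination(scans) -> bool:
    """Combination rule: at most one TCP type, optional -sU, at most one SCTP type."""
    chosen = set(scans)
    unknown = chosen - TCP_SCANS - SCTP_SCANS - {"sU"}
    if unknown:
        raise ValueError(f"unknown scan types: {sorted(unknown)}")
    return len(chosen & TCP_SCANS) <= 1 and len(chosen & SCTP_SCANS) <= 1
```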
If you want to know what is going on during the scan, add the -v option, which controls verbosity. It has three levels: -v, -vv, -vvv. More v's means more verbose. If you chose a low level, you can raise the verbosity from the keyboard in the middle of the scan.

Similarly, the -d option is for debugging. It has 9 levels, written -d1 through -d9. The highest effective level will produce thousands of lines unless you run a very simple scan with very few ports and targets.

To know the percentage of completion, press any key in the middle of the scan and Nmap will display the progress.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.
